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ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
Survey, or you have any general queries about the consultation, please 


email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
Capacity (e.g. a member of the public). All responses from organisations 
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and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Qi Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


[| Yes 


K No 


Q2 If not, please specify where improvements could be made. 


It isn't clear what is “new” and therefore what is the impact of the new 
aspects of data protection legislation on data sharing. On balance it may 
be more desirable to simply state the current position rather than a 
comparison with the old, but this guidance is not clear on what is new if 
that is the overall intention. 


Q3 Does the draft code cover the right issues about data sharing? 
[I Yes 


K No 
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Q4_~—siIf no, what other issues would you like to be covered in it? 


The biggest issue is whether the data contains personal data and how 
data sharing agreements are used in anonymisation. This is partly 
covered in the ICO anonymisation code of practice but this document is 
very long and complex and some overlap here would be useful. 

Some recognition of the grey areas of what is personal data would be 
helpful. 


There is also a lack of information about sharing data for research 
purposes and the possible exemptions, some examples would be useful. 


It is unclear why the use of data sharing contracts is recommended and 
not mandated. This could lead to ambiguity as to whether they are 
required. Maybe some examples would be useful to explain the different 
situations. We would typically use data sharing contracts as one of the 
robust controls when releasing data for secondary research purposes. 


It is unfortunate that Annex A and B are not available in the draft. 


Q5 Does the draft code contain the right level of detail? 
Yes 


U No 


Q6 If no, in what areas should there be more detail within the draft 
code? 


It is reasonably well signposted so that sections which are unlikely to be 
relevant to our members can be skipped. 


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation's data sharing practices? 
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[1 Yes 


K No 


Q8__siIf no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


There are no examples of sharing research data or mention specifically 
of Universities or public bodies as types of organisations who would 
share data; we would consider that use of a broader range of examples 
would help organisations engage with the guidance document and draw 
parallels with their activities. 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


Yes 


[| No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


It would be helpful to include specific detailed examples of good practice 
within an Annex 


Qii1 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


Yes 
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O No 


Q12 If no, in what way does the draft code fail to strike this balance? 


Further examples from sharing data for research purposes would be 
valuable 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[|] Yes 


K No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


1. There were numerous references to the ICO website, but the links 
do not lead directly to the relevant material, and the website is 
not easy to navigate to find the relevant material 

. Top of page 13 in misconception box ‘you can usually share 
without consent if you have a good reason to do so’ - this is 
relevant to the research community but is not covered again in 


the document. When is ‘usually’? And what is a ‘good reason’? 
Examples would be useful. 

3. Top of page 17- real life examples- none of these are research 
activity. Research is mentioned very few times. Trial or study not 
at all. What are ‘statistical purposes’; examples would again be 
helpful? 
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. Page 37 ‘you must identify at least one legal basis for sharing 
data’ -the section on legal basis and legitimate interests may be 
open to misinterpretation. 

. Pg44. Under ‘How do we comply...’, there is a statement that says 
‘unless an exemption or exception applies’. What are these, and 
how does the reader find out further details? 

. Pg48 paragraph 1. ‘You should undertake an information risk 
analysis’. Are there suggested templates for this, to educate us on 
how one should be performed? 

. Pg 48. Paragraph 1.‘You should regularly test, assess and 
evaluate your security provision’.How regularly? 

. Pg 60. ‘What are the legal powers...?’— Whilst we appreciate each 
organisation’s situation may be different, it would be helpful if 
more detail could be provided, even if this is just a list of 
considerations. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


Strongly agree 

Agree 

Neither agree nor disagree 
Disagree 

Strongly disagree 

Q16 Are you answering as: 


L] An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the public) 


L] An individual acting in a professional capacity 
On behalf of an organisation 
O Other 


Please specify the name of your organisation: 


UKCRC Registered CTU Network 
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Thank you for taking the time to share your views and experience. 


